11-16-2023 04:14 PM
Hi All
Network setup before my time and all traffic was routed via a proxy.
We upgraded our firewalls and now don't need the old proxy.
However our switches still have ACL's on them while we migrate to the FW.
I'm struggling to find the right IP to internet.
Currently I'm doing a
permit ip 10.10.11.250/32 any
What I have tried in place of the above:
But still get nothing.
permit ip 10.10.11.250/32 10.86.10.1/32
permit ip 10.10.11.250/32 10.10.10.0/23
permit ip 10.10.11.250/32 10.81.220.0/24
From my DC cores I have done a
show ip route 10.10.11.250
IP Route Table for VRF "default"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>
10.10.10.0/23, ubest/mbest: 1/0
*via 10.86.10.1, [1/0], 4w1d, static
What am I missing?
11-16-2023 06:28 PM
The drawing does give us an idea of your environment. But I am not clear what you are really asking. It seems to be about access lists. But what kind of acl, on which device, and what do you want it to do?
11-16-2023 09:14 PM
Hey @Richard Burts
I'm trying to allow internet to 10.10.11.250.
But not with an any rule.
Because then all my post ACLs are irrelevant, which I cannot have.
I'm trying to get to
permit ip 10.10.11.250 x.x.x.x eq 443
permit ip 10.10.11.250 x.x.x.x eq www
Trying with the above, I don't get a connection unless I use the any destination.
11-16-2023 10:25 PM
If the issue is that 10.10.11.250 does not have Internet access my first question is are you sure that it is an issue with access lists? Is it possible that the device does not have a correct default gateway? Is it possible that there is not a correct Network Address Translation entry for that address?
If you traceroute (or tracert depending on OS) how far does it get?
11-16-2023 11:02 PM
I too don't get what the issue is here.
11-19-2023 05:15 PM
Default gateway is 10.10.10.1 as it's a /23.
NAT is in place.
On the ACLs, ICMP is set to
permit icmp any any
If I do a ping to 8.8.8.8 it does complete to Google.
I would expect that the below would get me internet?
permit tcp 10.10.11.250/32 10.86.10.4/32 eq 443
permit tcp 10.10.11.250/32 10.86.10.4/32 eq www
But it only works if I do
permit ip 10.10.11.250/32 any
11-20-2023 06:16 AM
Thanks for the update. If it only works if you permit "any" it suggests that something else is required - DNS comes to mind. Try adding a specific permit for DNS and tell us the result.
11-20-2023 06:21 AM
Can I see NAT rule you use ?
11-20-2023 07:09 PM - edited 11-20-2023 07:10 PM
Hey all
DNS is going to my Domain Controllers a few ACLs before, which does all seem to work.
permit udp any eq bootps any eq bootps
permit udp 10.10.10.0/23 10.10.110.27/32 eq domain
permit tcp 10.10.10.0/23 10.10.110.27/32 eq domain
After chatting to a friend, I have now gotten it to work with:
permit tcp 10.10.11.250/32 any eq 443
permit tcp 10.10.11.250/32 any eq www
I would have thought I could have put in the layer 3 IP address to get internet out?
permit tcp 10.10.11.250/32 10.86.10.4/32 eq 443
permit tcp 10.10.11.250/32 10.86.10.4/32 eq www
My friend says it needs to be
any
because the whole scope is being NAT'ed out on the firewall.
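As an added illustration (not code from any poster in this thread), the first-match ACL evaluator below shows why the destination had to be any: the switch evaluates the packet header as sent by 10.10.11.250, whose destination is the Internet address, and the firewall's inside address 10.86.10.4 is only the next hop; source NAT happens later, on the firewall. The 8.8.8.8:443 and :22 packets are constructed samples, and the port numbers stand in for "eq 443" and "eq www".

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    dport: Optional[int] = None   # None means any port (no "eq")

def in_prefix(prefix: str, addr: str) -> bool:
    return prefix == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)

def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not in_prefix(ace.src, pkt.src) or not in_prefix(ace.dst, pkt.dst):
        return False
    return ace.dport is None or ace.dport == pkt.dport

def evaluate(acl: list, pkt: Packet) -> str:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"

# The three variants tried in the thread, as the switch sees them (before NAT).
ACL_NEXT_HOP = [Ace("permit", "tcp", "10.10.11.250/32", "10.86.10.4/32", 443),
                Ace("permit", "tcp", "10.10.11.250/32", "10.86.10.4/32", 80)]
ACL_ANY_DST = [Ace("permit", "tcp", "10.10.11.250/32", "any", 443),
               Ace("permit", "tcp", "10.10.11.250/32", "any", 80)]
ACL_PERMIT_ANY = [Ace("permit", "ip", "10.10.11.250/32", "any")]

# Constructed sample packets: the header still carries the real Internet destination.
WEB = Packet("tcp", "10.10.11.250", "8.8.8.8", 443)
SSH = Packet("tcp", "10.10.11.250", "8.8.8.8", 22)

def outcomes(pkt: Packet) -> dict:
    """Result of each ACL variant for one packet, for side-by-side comparison."""
    return {"next_hop": evaluate(ACL_NEXT_HOP, pkt),
            "any_dst": evaluate(ACL_ANY_DST, pkt),
            "permit_any": evaluate(ACL_PERMIT_ANY, pkt)}
```

The any-destination entries still deny the SSH packet, which is the least-privilege property the permit ip any rule throws away for every later entry.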